CyberResilient

NIS2 Gap Analysis: How to Find Out Where You Actually Stand

Most Swedish organisations think they're further along in NIS2 compliance than they actually are. A gap analysis shows where you really stand. Here's what you need to know to do it correctly.

  • NIS2
  • Regulatory Compliance
  • Risk & Compliance
  • Regulatory Guide


The Brief: A NIS2 gap analysis compares your current security posture against the NIS2 requirements and identifies exactly what’s missing. It covers Article 21 (risk management), Article 23 (incident reporting), supply-chain security, and accountability for board members and senior management. The output is a prioritised list of shortfalls: not opinions, but concrete gaps with owners, deadlines, and risk levels. Without one, you can’t plan. With one, you have a map.

What is a NIS2 gap analysis?

A NIS2 gap analysis is a structured comparison between what you have today and what the Cybersecurity Act requires. It is not the same as a maturity assessment. A maturity assessment measures how well your existing controls work. A gap analysis answers a simpler question: what is missing entirely?

The analysis covers four areas that mirror the NIS2 directive:

  • Governance and accountability: board engagement, documented decision-making, training
  • Risk management: risk register, treatment plans, recurring review
  • Incident handling: detection, response, reporting processes within 24 and 72 hours
  • Supply chain: due diligence, contracts, third-party monitoring

For each requirement, ask three questions: Do we have it? Does it work? Can we prove it?

Why isn’t a checklist enough?

A checklist says yes or no. A gap analysis says why, how much, and what to do about it. The difference matters when an auditor is asking for evidence.

A gap analysis delivers three things a checklist cannot:

  1. Risk level per shortfall: not all gaps are equally serious, and prioritisation requires classification
  2. Ownership and deadline: every gap gets a named owner and a date
  3. Traceability over time: you can show you’re working on the gaps, which carries weight under supervision

Auditors and supervisory authorities are less interested in whether you are perfect and more interested in whether you know where you stand and if you have a plan. The gap analysis is the document that proves both.

How do you actually run a NIS2 gap analysis?

A NIS2 gap analysis runs in four steps, in a specific order. Skipping step one is the most common reason an analysis ends up unusable.

Step 1: Set the scope. Which systems, processes, and business units are in? Are you an essential or an important entity under the Cybersecurity Act? Without clear scope, the result is unclear.

Step 2: Collect evidence, not opinions. Policies, minutes, training records, incident logs, risk registers. What isn’t documented doesn’t count — not under the Cybersecurity Act.

Step 3: Compare against Article 21 and Article 23. Each requirement gets a status: met, partially met, or missing. Beware of “partially met”: this is where organisations gain a false sense of security.

Step 4: Prioritise and assign owners. Critical gaps first, then high risk, then medium. Every item gets a named owner and a completion date. Without assigned ownership, remediation rarely gets executed well.

A manual gap analysis with external consultants typically takes four to eight weeks. An AI-driven self-assessment produces a first version within hours.


What if the gap analysis shows large shortfalls?

If the gap analysis turns up many gaps, don’t panic. This isn’t a final verdict but a starting point. Organisations that walk into supervision with a documented gap analysis and an active remediation plan almost always fare better than those with nothing, even when they are technically further behind. The gap analysis is also evidence of due diligence: without it, leadership has no defence if an incident occurs.

Three things carry weight with the supervisory authority: that you know what’s missing, that you have a plan to fix it, and that the plan is moving forward. An organisation at maturity level 2 with an upward trend line is better positioned than one at level 3 that’s standing still.

The biggest mistake is waiting until the analysis is “finished” before the work starts. The gap analysis is a living document that should be updated at least quarterly.

What this means

A NIS2 gap analysis is not a project. It’s a mirror. It shows where you stand, not where you thought you stood, and the difference between the two is usually larger than management wants to admit. Without a gap analysis, remediation work is guesswork. With one, you have a prioritised list, an owner per item, and a language the auditor understands. The first version doesn’t need to be perfect. It just needs to exist.

Frequently asked questions

What’s the difference between a gap analysis and a maturity assessment?

A gap analysis answers “do we have what’s required?”. A maturity assessment answers “how well does what we have work?”. The gap analysis is binary per requirement; the maturity assessment scores on a scale from 1 to 5. NIS2 calls for both: the gap analysis to find the holes, the maturity assessment to measure improvement over time.

Can we run a gap analysis ourselves or do we need consultants?

You can start on your own, and often that’s the better path. An internal gap analysis using a structured tool gives a first picture in a few hours and costs nothing. External consultants are needed when the scope is complex, when you need independent validation, or in preparation for a formal audit.

How often should a gap analysis be done?

At least once per quarter if you’re in active remediation, and at least once per year once you’ve reached a baseline. Legislation, threat landscape, and your own operations change; a gap analysis from last year is rarely accurate today.

Does our ISO 27001 certification count as a gap analysis?

No. ISO 27001 covers large parts of the NIS2 requirements but not all of them. Incident reporting within 24 and 72 hours, supply-chain requirements under Article 21, and personal accountability for management are areas where a complementary gap analysis is always needed.